
Federal Desktop Core Configuration (FDCC) was mandated by the US Office of Management and Budget (OMB) in 2007 and provides a set of security standards that must be adhered to by all federal workstations and laptops running Windows XP or Vista.
FDCC evolved into the United States Government Configuration Baseline (USGCB) starting in 2010, although some agencies and contracts may still be under lingering FDCC compliance obligations. Consequently, the updated standard is now often referred to as "FDCC/USGCB" or "USGCB (FDCC)" for reference. FDCC/USGCB is not its own law; rather, it is a central requirement under FISMA (Federal Information Security Modernization Act).
Here's what you need to know about FDCC/USGCB compliance today and how Fortra can help you meet its requirements.
What is FDCC/USGCB?
FDCC, or Federal Desktop Core Configuration, was designed to improve the security of Windows desktop and laptop operating systems for every US federal government computer and any machine that wanted to connect to a federal office computer network. It includes security standards pertaining to a list of agreed-upon files, applications, services, and system functions common to Windows OS and central to core operations.
In 2007, NIST evolved the FDCC into the United States Government Configuration Baseline (USGCB), largely to accommodate Windows 7. As noted by NIST, "To better support configuration setting baseline guidance under the FDCC mandate, USGCB was created, and USGCB configuration settings replaced the original FDCC configuration settings for the existing supported platform baselines." For recognition, many still refer to the updated USGCB requirements as FDCC/USGCB, as mentioned above.
Because the Windows platform was purposely built to facilitate easy and even automatic or semi-automatic connections to other computers, the FDCC/USGCB configuration requirements seek to reverse those default connection capabilities and replace them with manual (or intentional) ones for added security. The Federal Desktop Core Configuration standards were created by NIST in collaboration with OMB, DHS, DOI, DISA, NSA, USAF, and Microsoft and are still maintained by NIST today (as the updated United States Government Configuration Baseline, or "FDCC/USGCB" as referred to in this blog).
Who – and What Systems – Must Comply with FDCC/USGCB?
All federal government agencies and contractors that access government networks are required to comply with FDCC/USGCB regulations. While compliance only applies to general-purpose systems like managed desktops and laptops ("workstations"), other specialized systems like embedded computers, specialized experimental systems, and process control systems may adhere to FDCC/USGCB standards for additional security.
Additionally, FDCC/USGCB compliance extends to contractor computers that run Windows 7, Windows XP, and Vista. These must be owned and operated by a US government contractor or in some way integrated into a federal system.
What Are the FDCC (USGCB) Requirements?
Generally, FDCC/USGCB configurations:
- Block open connections in operating systems
- Disable unnecessary services
- Alter permissions on items
- Affect Group Policy Object (GPO) settings
- Change how log files are collected and recorded
There are over 450 Windows and 117 Internet Explorer FDCC/USGCB configuration settings in effect (see "USGCB Windows Settings" under "Documentation" on the NIST USGCB page). While a comprehensive list here is not possible, here are a few Windows requirements for context:
5. Turn off downloading of print drivers over HTTP | "To minimize the risk of users downloading drivers that include malicious code."
57. Turn off Windows Error Reporting | "To lower the risk of a user unknowingly exposing sensitive data."
101. Do not allow passwords to be saved | "To prevent the caching of user credentials."
102. Turn off downloading of enclosures | "To reduce the risk of a user unknowingly downloading malicious content."
124. Do Not Show First Use Dialog Boxes | "To prevent the user from changing configuration settings."
While many FDCC/USGCB settings are widely applicable, not all are practical for small or home office (SOHO) computers (a significant number of the federal general-purpose workstations to which the requirements apply). For these cases, an FDCC deviation report can be submitted.
Tripwire Supports FDCC/USGCB Compliance
Ensuring Windows configuration settings remain secure, compliant, and consistent is the name of the game for meeting FDCC/USGCB requirements. An organization can apply the correct settings once, overhauling its entire configuration setup, only to experience configuration drift and have to do the whole process over again or at least redo a number of needle-in-a-haystack parts. Discovering which among the many settings are outdated or on which workstations they reside can be a monumental task.
Fortra's Tripwire integrity management solutions prevent configuration drift.
- A security configuration management (SCM) platform can offer continuous, centralized system hardening.
- Change monitoring tools can detect unauthorized changes to configuration settings in real-time, addressing vulnerabilities and even re-applying the correct configuration automatically.
- And Tripwire's managed cybersecurity services (Tripwire ExpertOps) can make the implementation of those 450-plus Windows settings that much easier, outsourcing operational tasks to experienced professionals.
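As an added example (not code from the original post, nor from Fortra or Tripwire), the PowerShell below audits the five USGCB settings quoted earlier on a Windows host and reports each one as Compliant, Drifted or Missing, which is the recurring check the configuration-drift discussion above calls for; a -Remediate switch re-applies the expected value. The mapping from each policy name to a registry path and value is this example's own assumption, taken from the matching Group Policy administrative templates, and should be confirmed against the NIST USGCB documentation before being relied on.

```powershell
# Added example, not from the original post. Policy-to-registry mapping is an
# assumption of this example; verify each entry against the NIST USGCB settings.
$Baseline = @(
    @{ Id = 5;   Name = 'Turn off downloading of print drivers over HTTP'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
       Value = 'DisableWebPnPDownload'; Expected = 1 },
    @{ Id = 57;  Name = 'Turn off Windows Error Reporting'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
       Value = 'Disabled'; Expected = 1 },
    @{ Id = 101; Name = 'Do not allow passwords to be saved'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'DisablePasswordSaving'; Expected = 1 },
    @{ Id = 102; Name = 'Turn off downloading of enclosures'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
       Value = 'DisableEnclosureDownload'; Expected = 1 },
    @{ Id = 124; Name = 'Do Not Show First Use Dialog Boxes'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer'
       Value = 'GroupPrivacyAcceptance'; Expected = 1 }
)

function Test-UsgcbBaseline {
    param([switch]$Remediate)   # re-apply the expected value where drift is found
    foreach ($s in $Baseline) {
        # A missing key or value means the policy was never applied (or was removed).
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Value) } else { $null }
        $status = if ($null -eq $actual)           { 'Missing' }
                  elseif ($actual -eq $s.Expected) { 'Compliant' }
                  else                             { 'Drifted' }
        if ($Remediate -and $status -ne 'Compliant') {
            # Writing under HKLM:\SOFTWARE\Policies requires an elevated session.
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Expected -Type DWord
            $status = 'Remediated'
        }
        [PSCustomObject]@{ Id = $s.Id; Setting = $s.Name; Expected = $s.Expected
                           Actual = $actual; Status = $status }
    }
}

# Audit only; add -Remediate to re-apply drifted or missing values.
Test-UsgcbBaseline | Format-Table -AutoSize
```

Scheduling this audit and exporting the objects (for example with Export-Csv) gives a per-workstation record of which of the settings have drifted, rather than a one-time pass over the whole baseline.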
With Tripwire integrity management and cybersecurity solutions, federal agencies that achieve FDCC/USGCB compliance can maintain that compliance as they move forward.